Poster Presentations

There was a special poster display area in the building where the parallel sessions were held. Presenters were available in the poster display area for questions and discussion during the afternoon coffee breaks on Tuesday and Wednesday. The posters will be published in PDF form very soon.

An increasing number of threats, for example worms, viruses, Trojans, spyware, backdoors and keyboard loggers, menace our daily activities in the digital world. They have severely eroded the trust of end-users and companies in the digital world. The monitoring and early detection of cyberattacks has thus become of the highest importance.

The NoAH (Network of Affined Honeypots) project, partly funded through the European Commission's Sixth Framework Programme, addresses these threats by designing and prototyping an infrastructure that enables early detection, monitoring and fingerprinting of cyberattacks. The NoAH project integrates traffic redirectors, low-interaction and high-interaction honeypots in a geographically-dispersed early warning system. This is a highly original approach compared to existing systems. Several software components were extended or developed by the project.

Honey@home is a tool developed by the group at ICS/FORTH that redirects traffic sent to unused IP addresses towards the NoAH infrastructure. Honey@home was specifically designed for users not familiar with honeypot technologies and for organizations/companies that cannot afford maintaining their own infrastructure.

The high-interaction honeypot is based on the Argos emulator, developed by the collaborators from the Vrije Universiteit Amsterdam. As the Argos environment tracks the execution of suspected malware instruction by instruction, it is able to detect threats based on the behaviour of the code rather than on a pre-determined signature. A signature can be rapidly generated once the suspected code has been positively identified as malware.

Deploying virtual machines is a good way to build user-controlled clusters in a shared physical infrastructure. Virtualisation brings obvious benefits, e.g., the use of individualised environment (OS) distribution, libraries and applications, enabling users to plan their virtual resources. On the other hand, when talking about virtualisation, users are often worried about losing computation power and network throughput.

In order to determine whether the overhead of contemporary virtualisation tools is affordable, we measured UDP and TCP network throughput in Xen and VServer virtual machine monitors in a real cluster environment and compared it to performance of physical machines. In addition to network performance achievable by a single virtual machine, interactions with another virtual machine (either network or CPU bound) were measured to determine the possibility of several virtual machines running concurrently.

High numbers of virtual machines require many distinct IP addresses, which is not possible with IPv4. As we expect the addresses to be permanent and publicly accessible, IPv6 must be used. We therefore compared IPv4 and IPv6 performance in order to determine the practical usability of IPv6 in large virtualised computation infrastructures.

"Porto Digital": the City of Porto
Gil Coutinho and Mário Serrão, Universidade do Porto, Portugal

The city of Porto is currently involved with the final stages of the project "Porto Digital", included in the Portuguese initiative "Cidades e Regiões Digitais" (Digital Cities and Regions). The orientating guidelines aim both to develop a Society of Information and Knowledge and to make it available for everybody.

The creation of an optical fibre communication infrastructure that would support the project and make its results available to the society is itself a subproject, coordinated by the University of Porto.

The geographical span of the network (the city of Porto) and the institutional nature of its operator and subscribers (universities, local administration, health institutions, etc.) make it a community operated metropolitan area network, with an open access methodology.

The solution developed for the network is based on the Virtual Private LAN Services (VPLS) model, implemented over a multiprotocol label switching-enabled IP backbone, which was created specifically for this project.

This poster outlines:

1) the passive (optical fibre) infrastructure topology;

2) the active network architecture and topology;

3) the way VPLS instances can be used to provide different kinds of services to subscribers;

4) the current status of the project and future developments.

GlobalSign would like to help TERENA increase the value proposition for TERENA’s NREN members by enhancing the portfolio of digital certificate-based products and services it delivers to TERENA.

Institutions of higher education have an increasing need to process and distribute official electronic documents to students, alumni, faculty, and other institutions. It is essential that these recipients have complete confidence in the originality of the documents and the fact that the contents have not been altered in any way - i.e., that they are "authentic". The most pressing need stems from the latest requirements to provide electronic diplomas.

Certified Electronic Diplomas allow students to attest to their qualifications and employers to be confident in the information provided. At the same time, the brand/image of the issuing institution/university is both enhanced and protected. GlobalSign is able to provide a key component of the trust model - a digital certificate which is fully trusted by Adobe's PDF reader, thereby proving authenticity of higher education documents on a global scale.

The University of Coruña has completed a technological upgrade of its communication network. It started from a situation in which there were separate networks for the requirements of the different services: non-global networks, each configured according to the requirements of a particular centre at a particular moment. So there was a network for the telephone system, networks for research and other networks for the administration. The network serves 42 buildings, on eight campuses, in two cities.

The objective was to upgrade the University of Coruña network technologically in order to increase its capacity and to support new services which have completely different communication needs. These services will use a single, homogeneous and transparent infrastructure, so the new network must conceal the diversity of the physical infrastructure by presenting the topology of a homogeneous network to the upper layers. Among these services are the following: Virtual Campus, on-line training, voice over IP, video on demand and digital television.

The technologies used in the new network are organised in different levels. The first level uses CWDM over the physical layer and provides the transport for the technologies used in the upper layers. Over this CWDM network an intercampus backbone with 10 Gigabit Ethernet technology is installed, to which different technologies are connected, such as 10 Gigabit Ethernet, Fibre Channel, ATM, E1 circuits, Gigabit Ethernet, ADSL, HDSL, etc. Redundancy mechanisms and the necessary gateways for interconnecting the different technologies have to be provided to ensure their transparency. Finally, a switched Gigabit Ethernet connection is offered to each user at the top layer.

Academic and scientific research operates on an increasingly global scale. GÉANT2 and its NREN partners now provide dedicated End-to-End (E2E) circuits between distributed research centres on a continental and inter-continental scale. This creates "virtual private networks" to support the huge amounts of data generated by certain research projects.

Co-ordinating the monitoring of such dedicated circuits creates new challenges since each section of a particular E2E circuit often lies in a different NREN, each with its own approach to NOC monitoring, troubleshooting of equipment and liaison with various Telco providers. To meet these challenges, GÉANT2 has created the End-to-End Co-ordination Unit (E2ECU), which will be overseen by DANTE, to monitor these E2E circuits.

Special monitoring servers installed by GÉANT2 and many NRENs collect information from the local equipment in the path of the E2E circuits. These servers are a result of perfSONAR, a GÉANT2 research activity. Once the information has been collected, the servers are queried by other monitoring tools, feeding vital networking information back to engineers at the E2ECU. The E2ECU allows the NREN and GÉANT2 NOCs to spend more time implementing, troubleshooting and maintaining their networks, thereby providing researchers with a stable network for crucial data transfers.

The ArcoIris Project
Paolo Gaspari, University of Camerino, CINFO, Italy

The ArcoIris project was started because of the need to connect all of the university campuses, situated in different towns, whose distance from the main seat is about 30, 70 and 90 minutes by car. The project makes it possible for all students and teaching staff in the remote campuses to use the digital services (i.e., data and voice) provided by Unicam in support of teaching and research.

ArcoIris is a radio bridge consisting of eight routes for a total of 104 km. It is built using PDH narrow-band technology on 18 and 13 GHz radio frequencies. At present, the radio bridge can transport 34+2 Mbps full duplex, i.e., an Ethernet stream plus 1 x E1 WSC. Further implementations (with hardware upgrades) will enable it to reach a speed of 155 Mbps.

ArcoIris is a step ahead of the CDN connections provided by Telecom Italia both in data transport speed and in cost of use. It effectively forms a backbone connecting the Adriatic coast and the hinterland of central Italy.

Since all network planning has now been done and the official communication about frequency concession by the Ministry of Communication has been obtained, the project can now be implemented.

The project has already received funding of 40,000 euro from the Department for Innovation and Technology of the Presidency of the Council of Ministers.

While traditionally a high-priority network path between the endpoints and the MCU would be configured in advance, this method is static and thus cumbersome, time-consuming and error-prone. We propose a dynamic signalling mechanism, triggered from the MCU towards the network routers, which sets up a priority path to serve a videoconference dynamically. The signalling is initiated when participants join an MCU (hence its dynamic nature). Our proposed mechanism automates heavy manual network provisioning. No extra signalling (e.g., RSVP) is required from the end user.

The signalling is based on a modified BGP routing daemon that advertises videoconference participants as network routes. The signalling is mapped to a vendor-specific QoS implementation, commonly expressed in DiffServ architecture terms (i.e., PHBs). This mechanism can easily be extended for use across federated environments spanning multiple NRENs with cascaded MCUs. The added value of our work is that it can be used for any type of fixed point-to-multipoint (P2MP) dynamic QoS establishment with a static resource profile.

BalticGrid started in 2005 with its main goals to extend the European Grid by integrating new partners from the Baltic States (Lithuania, Latvia and Estonia) into the European Grid research community and to foster the development of Grid infrastructure in these countries.

Another important task of the project is to bring the knowledge of Grid technologies and use of Grids in the Baltic States to a level comparable to that in the EU member states with a longer experience in the development, deployment and operation of Grids.

In the first 18 months of the project, the BalticGrid consortium has:

installed 26 EGEE-certified clusters with more than 900 CPUs in total and 95 TB of storage space;

concluded Service Level Agreements between the BalticGrid project and three NRENs of the Baltic countries to provide reliable network connectivity for the Grid clusters;

developed and adapted to the Grid environment several applications for different areas of science, and has established Special Interest Groups: Baltic Sea Eco-System Modelling, Text-to-Speech, Text Annotation, Stellar Spectra Computing, Atomic and Nuclear Computing, Computer Modelling;

organised many interesting events, including Grid Open Days, BalticGrid All-Hands Meetings and summer schools, to raise awareness among and educate grid users.

The poster illustrates the achievements of the BalticGrid project including the established infrastructure and Grid clusters, different application areas targeted and future plans as well as the contact details.

With virtually every computer connected to the Internet, and thus exposed to security hazards, end-systems security can no longer be considered in isolation from the network's security. The network is at the same time the place where worms are spread, botnets are created and commanded to launch Denial of Service attacks, but also the place where most of these security threats can be discovered as "network anomalies" and countered, provided network operators have the appropriate tools and know-how in place.

Network anomaly detection and investigation in the GÉANT2 core can play a significant role in network security, complementing and enhancing the work done by the individual NRENs' CERTs (Computer Emergency Response Teams): these teams work with their visibility limited to the traffic exchanged within the NREN itself and at its GÉANT2 peering points, while DANTE has visibility of the backbone.

The fundamental data source for network anomaly detection in the GÉANT2 core is NetFlow data, which is collected at every GÉANT2 peering point. Even though the NetFlow engine on GÉANT2 routers samples only 1 in 1000 packets, a wealth of information can be derived from it. In this poster we show how, with the aid of a NetFlow post-processing tool (NfSen, developed by SWITCH) and its interesting Holt-Winters extension (developed by HUNGARNET), we can spot and investigate malicious traffic transiting the GÉANT2 core. It is DANTE's plan to evolve this activity into a production service, within the framework of the GÉANT2 Joint Research Activity on Security (JRA2).
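The following is an added illustration, not code from the poster or from the NfSen extension, of the Holt-Winters idea the abstract relies on: a seasonal forecast with a deviation band run over hourly packet counts recovered from 1-in-1000 sampled NetFlow, with a constructed tenfold burst on the third day. The diurnal profile, the smoothing constants and the clamping of anomalous observations are assumptions made for this example.

```python
"""Holt-Winters anomaly detection over hourly packet counts derived from
sampled NetFlow. Constructed data; the approach follows Brutlag-style
aberrant-behaviour detection (forecast plus smoothed deviation band)."""
from dataclasses import dataclass
from statistics import mean

SAMPLING_RATE = 1000   # GEANT2 routers export 1 in 1000 packets


def scale_sampled(sampled_count, rate=SAMPLING_RATE):
    """Estimate the real packet count from the sampled one. Packet and byte
    counters scale linearly with the sampling rate; flow counts do not
    (a flow is recorded whenever any of its packets happens to be sampled)."""
    return sampled_count * rate


@dataclass
class Anomaly:
    index: int
    observed: float
    forecast: float
    band: float          # k * deviation allowed at that point


def holt_winters_anomalies(series, period, alpha=0.2, beta=0.05, gamma=0.1,
                           k=3.0, min_dev=0.05):
    """Additive Holt-Winters with a per-slot smoothed absolute-deviation band.

    The first two seasons initialise level, trend and seasonal terms and are
    not scored. A point is anomalous when |observed - forecast| > k * deviation;
    the deviation is floored at min_dev * |forecast| so an unseen slot cannot
    yield a zero-width band. Anomalous observations are clamped to the forecast
    before updating the smoothing state, so one spike does not drag the
    baseline; a sustained shift keeps alarming until the deviation band has
    widened enough to absorb it, after which the model adapts to the new level.
    """
    if len(series) < 2 * period:
        raise ValueError("need at least two seasons of history")
    season1, season2 = series[:period], series[period:2 * period]
    level = mean(season1)
    trend = (mean(season2) - mean(season1)) / period
    seasonal = [y - level for y in season1]
    deviation = [0.0] * period
    anomalies = []
    for t in range(period, len(series)):
        i, y = t % period, series[t]
        forecast = level + trend + seasonal[i]
        error = y - forecast
        band = k * max(deviation[i], min_dev * abs(forecast))
        is_anomaly = t >= 2 * period and abs(error) > band
        if is_anomaly:
            anomalies.append(Anomaly(t, y, forecast, band))
        # Widen the band with the real error, but fit the state to a clamped
        # observation when the point was anomalous.
        deviation[i] = gamma * abs(error) + (1 - gamma) * deviation[i]
        fit = forecast if is_anomaly else y
        new_level = alpha * (fit - seasonal[i]) + (1 - alpha) * (level + trend)
        trend = beta * (new_level - level) + (1 - beta) * trend
        seasonal[i] = gamma * (fit - new_level) + (1 - gamma) * seasonal[i]
        level = new_level
    return anomalies


# Constructed diurnal profile: sampled packets per hour at one peering point.
DIURNAL = [120, 100, 90, 85, 80, 85, 110, 160, 240, 320, 380, 410,
           420, 430, 425, 410, 380, 340, 300, 260, 220, 190, 160, 140]


def build_sample(days=3, spike_at=60, spike_factor=10):
    """Quiet days with one tenfold burst (day 3, 12:00), e.g. a scanning worm
    or flood, expressed as estimated packets after undoing the sampling."""
    sampled = [DIURNAL[t % 24] for t in range(days * 24)]
    sampled[spike_at] *= spike_factor
    return [scale_sampled(c) for c in sampled]


def detect_spike():
    return holt_winters_anomalies(build_sample(), period=24)


if __name__ == "__main__":
    for a in detect_spike():
        print(f"hour {a.index}: observed {a.observed:,.0f} packets, "
              f"forecast {a.forecast:,.0f}, band +/-{a.band:,.0f}")
```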

SURFnet6, the new national research network in the Netherlands, is a hybrid optical network. It provides both high-capacity lightpaths and layer 3 IP services. This poster focuses on the security of SURFnet6. More specifically, it focuses on the risk of unauthorised observation (tapping) of optical networks. We show several scenarios for tapping and how they could be thwarted. The main conclusion is that unauthorised observation of an optical network is possible, but that it is extremely difficult to carry out and straightforward to detect in a properly monitored network. There are two main difficulties that complicate a tap attempt:

the required equipment for tapping is complex, which would make it easy to detect such an attempt;

state-of-the-art optical fibre transmission systems are equipped with management systems that would raise alarms during the handling of the fibres that an attempt would require.

With respect to tapping at equipment sites, the risk is believed to be small because, in practical situations, the attacker would not be able to enter these sites, since they are supposedly well guarded. Therefore, 24 x 7 surveillance of the sites where the optical transmission equipment is located is essential in order to substantiate the low risk of an optical network being eavesdropped. If a sophisticated eavesdropper were to succeed in tapping an optical network, encryption and coding of the traffic provide a second hurdle that needs to be overcome to make eavesdropping worthwhile. Therefore, encryption remains important in optical networks.

Performance Issues Related to Web Service Usage
V.F. Pais and V. Stancalie, National Institute for Laser, Plasma and Radiation Physics, Romania

An increasing number of applications are starting to use Web Services for data transfer and remote resource access. This new type of network usage needs to be integrated with existing services.

For the purposes of a national research project, "Research on laser-atoms, laser plasma interactions, towards inertial confinement fusion" (project TICF), it was decided to use Web services to provide remote data access and remote processing for distributed applications. Several tests were conducted to see how the new network traffic can be integrated into the existing infrastructure and what impact its usage would have on existing applications, such as videoconferencing, e-mail, data transfer, screen sharing and remote access. The aim of these tests was to determine the quality of service (QoS) requirements, the amount of data sent in excess of the useful payload (due to XML encapsulation) and ways to increase the overall performance by using caching at different points in the network and compression mechanisms.

This poster presents the software suite we developed for planning and monitoring lightpaths in SURFnet6 and NetherLight. SURFnet6 is a hybrid network which consists of a traditional routed IP part and an optical circuit-switched part with 'lightpath' services. Lightpaths are dedicated high-speed circuits with a capacity of typically 1-10 Gbps and with well-defined QoS parameters. These lightpaths are also available on NetherLight, Europe's largest Optical Exchange in Amsterdam.

The lightpath service is new and there is not much software available yet for managing this service. Our software suite allows the NOC to find optimal paths between two points in the network and to make lightpath reservations. It also contains several monitoring tools that are used in both SURFnet6 and NetherLight. In addition, several other Optical Exchanges are currently testing the software.

The software suite consists of several building blocks. SARA's TL1 Toolkit is used to automatically retrieve topology and configuration information from the network. The configuration information, such as the cross-connects and timeslots in use, is stored together with the alarm information in a Network State database. The topology information is used to automatically generate a topology file using the Network Description Language (NDL) framework developed by the UvA. The planning and monitoring tools read the information from the database and the NDL file and present a Web interface to the user.

The active network approach allows an individual user to inject customised programs into active nodes in the network, usually called programmable/active nodes, and thus process data in the network as it passes through. As the speeds of network links continue to increase, and the applications' demands for network bandwidth increase with them, a single active node cannot feasibly process such high-bandwidth user data in real time, since the processing may be fairly complex (e.g., high-quality video down-sampling for videoconference clients with low-bandwidth connectivity).

The poster presents the architecture of the DiProNN node, the VM-based Distributed Programmable Network Node, which improves the scalability of such an active system with respect to the number of active programs simultaneously running on the node and with respect to the bandwidth of each passing stream processed. Since the node is primarily meant to perform stream processing, and to make programming of stream processing applications for the DiProNN node easier, we also propose a suitable modular programming model. To make DiProNN programming more comfortable, the model takes advantage of DiProNN virtualisation: using standard network services, the DiProNN node interconnects standalone special-purpose active programs into a complex processing system.

Telefónica I+D, within the objectives and activities of the IST MUPBED project, presents a poster describing two main topics: the interconnection of its testbed with the rest of the testbeds present in the project, and the integration of its multi-partner videoconference application with the MUPBED Network, as a means of validating both the control and data plane solutions implemented by MUPBED together with the adaptation function developed in WP2.

The poster is divided into four sections:

TI+D Test Bed Interconnection, where the Control and Data Plane interconnections from TI+D to the rest of the MUPBED partners are briefly described. It also contains the particular scenario prepared for the application demo TI+D will carry out during the event.

Multi-partner Videoconference Application, where the application features are listed, together with the application development activities.

Application Provisioning, where it is described how the application Provisioning Tool has been adapted to the MUPBED Network and Adaptation Function.

Application - Network Integration, where the integration activities with the MUPBED WP2 and WP3 outcomes are shown.

KnowARC (Grid-enabled Know-how Sharing Technology Based on ARC Services and Open Standards) is a research and development project funded from 2006 to 2009 by the European Commission's Sixth Framework Programme through Directorate F: Emerging Technologies and Infrastructures, of the Directorate-General for Information Society and Media, under the Information Society Technologies Priority. It comprises ten partners from seven European countries and concentrates on development in the area of Grid technologies.

KnowARC improves and extends the existing state-of-the-art technology found in the ARC Grid middleware. The project aims to significantly increase awareness and usage of next-generation ARC middleware. The result of the project will be the extension of ARC to be standards-compliant, interoperable Grid software, offering foundations for know-how sharing services for business and society. KnowARC will transform ARC into coherent, functional next-generation Grid software of industrial quality, ready for deployment on a variety of computing platforms and will be included in various operating system distributions.

On the basis of recommendations from the Swiss Virtual Campus (Berne, 2005), the Open Access Declaration (Berlin, 2003) and requirements set up by over 30 representatives from the Swiss institutions of higher education in 2006, SWITCH will establish an (inter)-national learning object repository (LOR) with the following specifications:

support object format conversion for different types of learning management systems (LMS).

ease of use: teachers and authors must be able to upload content to and download content from the LOR quickly and easily, with a simple and automated metadata model.

Tests in 2006 proved the feasibility of such a service. The federated LOR architecture, based predominantly on open source products, is aimed at achieving a compromise between 'customisability', independence and interoperability.

A pilot LOR-Federation will be made available in summer 2007. The regular LOR service open to all Swiss institutions of higher education, including their (inter)-national partners is expected to become operational in 2008.

GRNET, the National Research and Education Network of Greece, is currently migrating to an owned-fibre infrastructure consisting of fibre pairs acquired in the form of 15-year IRU contracts. GRNET has already acquired IRUs for a total of approximately 6000 km of fibre pair links. This next-generation GRNET network is called GRNET3.

GRNET3 is designed to be a hybrid network where circuit switching services are provided in addition to traditional packet switching services over owned DWDM infrastructure. More specifically G.ASON/GMPLS enabled next-generation SDH switches will be deployed at four major Greek cities. These switches will be inter-connected via dedicated 10Gbps DWDM WAN lambdas and will provide multiple 1Gbps access interfaces to selected GRNET3 clients (e.g., GRID nodes). The tributary signals will be GFP-F encapsulated to the 10Gbps WAN lambdas. In this way on-demand guaranteed bandwidth connections can be established among selected GRNET3 clients either manually via the NMS or automatically via the G.ASON/GMPLS control plane.

GRNET3 follows an innovative client aggregation architecture for those clients that are expected to exceed the existing 1Gbps capacity threshold in the immediate future: dedicated 10Gbps lambdas will be implemented connecting each such client's border router with a 10Gbps-capable Ethernet switch located in Athens. The 10Gbps Ethernet switch will implement inter-VLAN routing and will be connected to the rest of the GRNET3 packet network via a 10Gbps interface. The main incentive for this aggregation architecture is to minimise the number of 10Gbps interfaces on layer 3 devices, which are far more expensive than the corresponding interfaces on layer 2 devices.

In the European IST project MUPBED, the horizontal and vertical integration of networks and applications are considered. Horizontally, the integration is established by interconnecting different GMPLS and ASON-enabled networks, and vertically, the objective is to allow the clients to request bandwidth allocation in the network. This includes providing dynamics in the circuit layers, which are usually statically configured in today’s networks. This poster presents a graphical user interface (GUI) which is used to connect to the interoperable network control plane.

In the proposed vertical integration, the GUI client is provided to the users and their resource requests are transferred using Web services to an adaptation function (AF). Several GUIs can connect to a single AF, which, in turn, controls a User Network Interface towards the network. The AF receives connection requests and reserves resources in the packet and circuit layer of the transport network accordingly.

The GUI allows the user to use predefined application profiles or define and store custom profiles. Furthermore, any relevant feedback from the network regarding the requested reservations is provided to the user through the GUI.

The poster details the first version of the GUI including the AF, and the validation results from connection establishment in real networks are presented.

The poster presents an autonomous hardware-accelerated network monitoring probe. It is intended for collecting information about IP flows much like some routers do. The advantage of a stand-alone probe is its adaptability, mobility and throughput. For instance, the probe supports NetFlow v5 and v9 protocols and can also filter and export flow records to several collectors.

While different sampling types are implemented, sampling is not mandatory, as the probe is able to handle gigabit traffic at line rate in both directions and for all packet sizes. The flow cache is able to store up to 256,000 simultaneous flow records, which is comparable to high-end backbone routers.

Besides describing parameters of the probe, the poster gives a closer overview of the system architecture. The probe is based on a commodity PC running Linux OS with a network acceleration card. The card accelerates the time-critical parts of the flow monitoring process. The PC is responsible for the export of the collected flow statistics. Results from deploying the probes in the CESNET2 network and collecting network statistics are presented and compared to other available solutions. The FlowMon probe is being developed within the JRA2 activity of the GN2 project.

TERENA Task Forces are groups of experts who undertake joint work in their common areas of interest. Each task force has agreed terms of reference that are approved by either the TERENA Technical Committee or TERENA Executive Committee.

In principle, participation in task forces is open to any individual who can offer appropriate expertise, manpower, equipment or services. Those resources are donated by the task force participants or their organisations.

Currently, TERENA has seven task forces on a wide range of subjects.

Four posters outline the activities of the task forces TF-EMC2, TF-LCPM, TF-PR and TF-Mobility, their objectives and information on how to participate.